Re: [Dovecot] Authentication by certificats (a bug or my misconfiguration)
Hi Alexander,
> Thanks for the quick reply; rearranging the certs didn't seem to do much for the setup; I guess I'm getting one thing wrong, which was the cause for my followup. How can I make dovecot only rely on the cert and no further authentication for giving access to the user, when making dovecot lift the user ID from the client cert?
Hmm, I don't think that's the reason for the "invalid certificate" error. Another question: are the client certificates and the server certificate signed by the same CA?
In case you want the ssl-verify error in the logfiles:
in src/login-common/ssl-proxy-openssl.c, line 607, change:
    i_info("Invalid certificate: %s", buf);
to:
    i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error), buf);
should help (tested on beta8); don't forget to recompile, install and restart ;-)
success!
--
regards,
HenkJan Wolthuis
HenkJan Wolthuis wrote:
> Hi Alexander,
> > Thanks for the quick reply; rearranging the certs didn't seem to do much for the setup; I guess I'm getting one thing wrong, which was the cause for my followup. How can I make dovecot only rely on the cert and no further authentication for giving access to the user, when making dovecot lift the user ID from the client cert?
> Hmm, I don't think that's the reason for the "invalid certificate" error. Another question: are the client certificates and the server certificate signed by the same CA?
The root CA has generated the intermediate CA, which in turn is used to generate both the client and server certificates. The CA has also generated the ca.crt, which contains the intermediate CA, then the root CA and then the CRL. All in PEM format.
Part of what I'm trying is to make the user virtual, i.e. the user from the client certificate does not exist on the machine, which may also be part of what throws it off?
The same setup works for postfix for relaying without SSL errors.
When testing the same setup with evolution I get this in the log:
Jul 11 10:26:18 friends dovecot: imap-login: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [217.13.24.22]
if that helps any?
> In case you want the ssl-verify error in the logfiles:
> in src/login-common/ssl-proxy-openssl.c, line 607, change:
>     i_info("Invalid certificate: %s", buf);
> to:
>     i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error), buf);
> should help (tested on beta8); don't forget to recompile, install and restart ;-)
> success!
I'll patch up my dovecot a bit later, have a grumpy customer to tend to now. :)
Thanks a lot for the quick replies.
-A :)
HenkJan Wolthuis wrote:
> In case you want the ssl-verify error in the logfiles:
> in src/login-common/ssl-proxy-openssl.c, line 607, change:
>     i_info("Invalid certificate: %s", buf);
> to:
>     i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error), buf);
> should help (tested on beta8); don't forget to recompile, install and restart ;-)
> success!
Basically, as you suggested offline, this is the solution:
> OK, maybe openssl needs CRLs for all CA certificates? (I don't have experience with intermediate CAs or CA chains.) So the new order in the ssl_ca file would be:
> 1. intermediate CA
> 2. root CA
> 3. intermediate CRL
> 4. root CRL
And Bob's your aunt. It works like a charm here now. :)
-A
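As an added illustration of the ssl_ca layout that worked above (not code from the thread or from Dovecot), a small Python check that splits a PEM bundle into its blocks and flags the two layout mistakes this thread turns on: a certificate placed after a CRL, and fewer CRLs than CA certificates. The sample bundle is constructed with placeholder bodies; the check looks only at PEM block labels and their order, not at the certificates themselves.

```python
import re

# Constructed sample of an ssl_ca bundle in the order that worked in the thread:
# intermediate CA, root CA, intermediate CRL, root CRL. Bodies are placeholders,
# not real DER data; the checker only looks at PEM block labels and their order.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
...constructed placeholder: intermediate CA certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...constructed placeholder: root CA certificate...
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
...constructed placeholder: intermediate CA's CRL...
-----END X509 CRL-----
-----BEGIN X509 CRL-----
...constructed placeholder: root CA's CRL...
-----END X509 CRL-----
"""

# One PEM block: label in the BEGIN line, body, and the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_labels(text: str) -> list:
    """Return the PEM block labels of a bundle in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_ssl_ca_bundle(text: str) -> list:
    """Lint an ssl_ca bundle against the layout from the thread; returns problems.

    Empty list means: only certificates and CRLs, every certificate before the
    first CRL, and at least one CRL per CA certificate, since OpenSSL's CRL
    checking wants a CRL for every CA in the chain, not only the issuing one.
    """
    labels = pem_labels(text)
    problems = []
    unknown = sorted({lab for lab in labels if lab not in ("CERTIFICATE", "X509 CRL")})
    if unknown:
        problems.append("unexpected PEM block(s): " + ", ".join(unknown))
    certs, crls = labels.count("CERTIFICATE"), labels.count("X509 CRL")
    if certs == 0:
        problems.append("no CA certificate in bundle")
    if crls and "CERTIFICATE" in labels[labels.index("X509 CRL"):]:
        problems.append("certificate after a CRL: list all CA certificates first")
    if crls < certs:
        problems.append(f"{certs} CA certificate(s) but {crls} CRL(s): add a CRL for every CA")
    return problems
```

Running `check_ssl_ca_bundle` over a bundle that carries only the intermediate CRL reports the missing root CRL, which is the case that failed before the reordering described above.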